Botlab
Presented by Aaron Ballew
Context
• Prior Work
  • Analyze incoming spam
  • Characterizes aggregate behavior
  • Reverse engineer a few bots
  • Not timely or scalable, due to all the clever ways bad guys use to obfuscate their bots
• Botlab analyzes incoming spam, but also compares it to outgoing spam generated by captive bots
Botlab
• Real-time monitoring
• Consumes incoming spam to get the latest & greatest “binaries”
• Uses captive bots to send outgoing spam as ground truth
• Correlates the two to determine which botnets are most active at the moment, among other things
• Network fingerprint [protocol, IP, DNS address, port] based on current behavior, rather than reverse engineering. Things change too fast to reverse engineer everything.
• To be safe, the captive bots are sandboxed
  • Still have to let a little traffic out to reach C&C (bad guy) servers
  • That traffic is run through an anonymizer first, so the bad guys don’t know they’re being monitored
Results
• Better spam filtering
  • Created a Firefox plugin that blocked 40,000 malicious links, while two traditional blacklist techniques missed them all
  • Similar result with Google mail
• Found that 6 botnets generate 79% of the spam hitting UW
• Estimated the size of the spam lists at 4 major botnets
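The two slides above describe the core Botlab loop: group captive bots by their behavioral network fingerprint, treat the spam those bots send as ground truth, and correlate it with the incoming spam feed to see which botnets are most active and which links to block. The script below is an added toy illustration of that correlation written for this summary; it is not Botlab's code. All fingerprints, messages and domains in it are constructed sample data, and attribution is done on the URL domain only, a simplification of the richer signatures the real system uses.

```python
"""Toy Botlab-style correlation of incoming spam with captive-bot output.
Added example; not from the Botlab project. All data below is constructed."""
import re
from collections import Counter
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s<>"]+')

# Constructed network fingerprints observed when each sandboxed binary reached
# its C&C: (protocol, ip, dns name, port). Binaries with the same fingerprint
# are treated as members of the same botnet, with no reverse engineering.
CAPTIVE_BOT_FINGERPRINTS = {
    "bin-a1": ("tcp", "203.0.113.10", "cc-one.example", 8080),
    "bin-a2": ("tcp", "203.0.113.10", "cc-one.example", 8080),
    "bin-b1": ("http", "198.51.100.7", "cc-two.example", 80),
    "bin-c1": ("tcp", "192.0.2.55", "cc-three.example", 443),
}

# Constructed outgoing spam captured from each captive bot (the ground truth).
OUTGOING_SPAM = {
    "bin-a1": ["Cheap meds http://pills.example/buy?id=1"],
    "bin-a2": ["Cheap meds http://pills.example/buy?id=77"],
    "bin-b1": ["You won! http://prize.example/claim"],
    "bin-c1": ["Rolex deals http://watch.example/x"],
}

# Constructed incoming spam feed (what the spam trap receives).
INCOMING_SPAM = [
    "Cheap meds http://pills.example/buy?id=9",
    "Cheap meds http://pills.example/buy?id=10",
    "You won! http://prize.example/claim",
    "Rolex deals http://watch.example/x",
    "Cheap meds http://pills.example/buy?id=11",
    "Please review the attached invoice http://unknown.example/inv",
]


def group_bots_by_fingerprint(fingerprints):
    """Return binary -> botnet label; identical fingerprints share a label."""
    labels = {}
    binary_to_botnet = {}
    for binary, fp in fingerprints.items():
        if fp not in labels:
            labels[fp] = f"botnet-{len(labels) + 1}"
        binary_to_botnet[binary] = labels[fp]
    return binary_to_botnet


def extract_domains(message):
    """Hostnames of every URL in a message (the link the victim would click)."""
    return {urlparse(u).hostname for u in URL_RE.findall(message)}


def build_domain_signatures(outgoing, binary_to_botnet):
    """Learn domain -> botnet from the outgoing spam of the captive bots."""
    signatures = {}
    for binary, messages in outgoing.items():
        for msg in messages:
            for domain in extract_domains(msg):
                signatures[domain] = binary_to_botnet[binary]
    return signatures


def attribute_incoming(incoming, signatures):
    """Count incoming spam per botnet; unknown domains go to 'unattributed'."""
    counts = Counter()
    for msg in incoming:
        hits = {signatures[d] for d in extract_domains(msg) if d in signatures}
        # min() keeps the choice deterministic if a message matches several botnets
        counts[min(hits) if hits else "unattributed"] += 1
    return counts


def top_botnet_share(counts, k):
    """Fraction of all incoming spam produced by the k most active botnets."""
    total = sum(counts.values())
    ranked = [(b, n) for b, n in counts.most_common() if b != "unattributed"]
    return sum(n for _, n in ranked[:k]) / total


def malicious_domain_blocklist(signatures):
    """Domains seen in captive-bot spam, usable by a browser or mail filter."""
    return sorted(signatures)


if __name__ == "__main__":
    botnets = group_bots_by_fingerprint(CAPTIVE_BOT_FINGERPRINTS)
    sigs = build_domain_signatures(OUTGOING_SPAM, botnets)
    counts = attribute_incoming(INCOMING_SPAM, sigs)
    print("spam per botnet:", dict(counts))
    print("share of top 1 botnet:", top_botnet_share(counts, 1))
    print("blocklist:", malicious_domain_blocklist(sigs))
```

The point of the design is that the blocklist and the attribution both come from what the sandboxed bots actually sent, so the filter catches links before any reputation service has seen them, which is the same reason the plugin on the Results slide blocked links that two traditional blacklists missed.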
Botlab Conclusion
• Determines which botnets are doing what
• Adapts to changes in botnets’ behavior
• Produces info on the fly
• Causes no harm